PMK or PTK instead of PSK in radius response when wpa_psk_radius=2 or wpa_psk_radius=3

Alan DeKok aland at
Mon Dec 4 15:43:24 PST 2023

On Dec 4, 2023, at 4:22 PM, Daniel S <timeport0 at> wrote:
> Is there a way(or why you shouldn't/couldn't) to provide the
> PMK(perhaps via MS-MPPE-Recv-Key) instead of a cleartext
> Tunnel-Password as a radius response?

  MS-MPPE-Recv-Key already has a defined meaning.  You can't change that meaning without changing all pieces of software which use it.

> It would solve the less-than-ideal situation of storing and
> transmitting PSKs in cleartext or reversible encryption.

  I'm not sure what you're getting at.  MS-MPPE-Recv-Key and Tunnel-Password are both protected with reversible encryption.  Neither of them send data in clear text.

> I tried as a test just sending the PMK or PTK back as MS-MPPE-Recv-Key
> as in EAP but seems that didn't do the trick.

  Of course.  If you put IPv6 addresses into an IPv4 field it won't work, either.

  The protocols and attributes have defined meaning.  You can't just put different data into an attribute and expect the systems to understand what you intend.

  Alan DeKok.

More information about the Hostap mailing list